Attackers appear to have targeted a Twitter customer support API. A successful attack would have revealed the country code associated with a user's phone number, if they had registered one with Twitter, as well as whether Twitter had locked their account, the social networking giant says in a blog published on Monday.

"During our investigation, we noticed some unusual activity involving the affected customer support form API," it says. "Specifically, we observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia. While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors."

Twitter says it has shared its findings with law enforcement agencies. "Importantly, this issue did not expose full phone numbers or any other personal data," Twitter says in its security alert. "We have directly informed the people we identified as being affected. We are providing this broader notice as it is possible that other account holders we cannot identify were potentially impacted. No action is required by account holders and we have resolved the issue."

Twitter's stock price plunged 7 percent in Monday trading, apparently as a result of its security alert.

The social networking giant said it blocked the attacks on Nov. 16 after first beginning to investigate them on Nov. 15. It has not said how long the attacks may have persisted. Twitter did not immediately respond to a request for clarification.

Malware Responds to Twitter Memes

Separately, on Friday, information security firm Trend Micro warned that attackers have been disseminating image memes via Twitter that are being used to provide remote command-and-control services for malware-infected PCs. It says a URL hardcoded into the malware, pointing to a post on the free text-sharing service Pastebin, is then used to obtain the address of the server to which stolen data is exfiltrated.

"Steganography, or the method used to conceal a malicious payload inside an image to evade security solutions, has long been used by cybercriminals to spread malware and perform other malicious operations. We recently discovered malicious actors using this technique on memes," says Aliakbar Zahravi, a malware analyst at Trend Micro, in a blog post.

The authors of malware called Berbomthum have used a Twitter account, first created in 2017, to post two tweets that contain image memes, he says.

"The memes contain an embedded command that is parsed by the malware after it's downloaded from the malicious Twitter account onto the victim's machine, acting as a C&C service for the already placed malware," he says. "Hidden inside the memes mentioned above is the '/print' command, which enables the malware to take screenshots of the infected machine. The screenshots are sent to a C&C server whose address is obtained through a hard-coded URL on pastebin.com."
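To make the mechanism concrete, here is an added example (not code from the article or from Trend Micro, and not Berbomthum's actual embedding scheme, which the report quoted here does not describe). It assumes the simplest possible carrier: the command sits in a PNG tEXt chunk under a hypothetical keyword "cmd", the "victim" side walks the chunks to recover it, and a defender-side check flags the indicators a practitioner would look for in a downloaded image, namely text chunks, bad chunk CRCs and bytes appended after IEND. The 1x1 PNG carrier is constructed in code, so the example runs offline with the standard library only.

```python
"""Toy image-borne command channel (added illustration, stdlib only).

Assumptions, not facts from the article: the hidden command lives in a PNG
tEXt chunk whose keyword is the hypothetical 'cmd'. Real samples may embed
data in pixel values, trailing bytes, or other metadata."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
CMD_KEYWORD = b"cmd"  # hypothetical keyword chosen for this example


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: big-endian length, type, data, CRC32(type+data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int = 1, height: int = 1) -> bytes:
    """Build a minimal valid 8-bit grayscale PNG to act as the carrier (constructed sample)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    # One scanline per row: filter byte 0 followed by `width` mid-gray pixels.
    raw = b"".join(b"\x00" + b"\x80" * width for _ in range(height))
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def parse_chunks(png: bytes):
    """Return ([(type, data, crc_ok), ...], offset just past IEND).

    Stops at IEND so that anything after it shows up as trailing data."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        if pos + 12 + length > len(png):
            raise ValueError("truncated chunk")
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        crc_ok = (zlib.crc32(ctype + data) & 0xFFFFFFFF) == crc
        chunks.append((ctype, data, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, pos


def embed_command(png: bytes, command: str) -> bytes:
    """Attacker side: insert a 'cmd' tEXt chunk just before IEND; the image still renders."""
    chunks, end = parse_chunks(png)
    out = PNG_SIGNATURE
    for ctype, data, _ in chunks:
        if ctype == b"IEND":
            out += _chunk(b"tEXt", CMD_KEYWORD + b"\x00" + command.encode())
        out += _chunk(ctype, data)
    return out + png[end:]


def extract_command(png: bytes):
    """Implant side: parse the downloaded image and recover the command, or None."""
    chunks, _ = parse_chunks(png)
    for ctype, data, _ in chunks:
        if ctype == b"tEXt" and data.startswith(CMD_KEYWORD + b"\x00"):
            return data[len(CMD_KEYWORD) + 1:].decode(errors="replace")
    return None


def suspicious_indicators(png: bytes) -> list:
    """Defender side: list the things worth a second look in an image pulled from social media."""
    findings = []
    chunks, end = parse_chunks(png)
    for ctype, data, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append(f"bad CRC in {name} chunk")
        if ctype in (b"tEXt", b"zTXt", b"iTXt"):
            findings.append(f"{name} chunk ({len(data)} bytes): {data[:32]!r}")
    trailing = len(png) - end
    if trailing > 0:
        findings.append(f"{trailing} bytes after IEND")
    return findings


if __name__ == "__main__":
    carrier = build_png()
    stego = embed_command(carrier, "/print")
    print("command recovered:", extract_command(stego))
    print("indicators:", suspicious_indicators(stego))
```

The point of the defender-side function is that none of these indicators proves anything on its own (legitimate tools write tEXt chunks all the time); they are cheap triage signals to pair with the network-level observation the report describes, a host fetching images from a fixed Twitter account and then posting to a Pastebin-derived address.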

A screen capture of the offending Twitter account and one of the malicious memes (Source: Trend Micro)

Twitter did not immediately respond to a request for comment on Trend Micro's report.

Zahravi says it's not yet known how PCs first become infected with Berbomthum. In general, however, security researchers say that most malware attacks, including ransomware, tend to be distributed via spam or phishing emails (see: Ransomware Keeps Ringing in Profits for Cybercrime Rings).

This isn't the first time that malware writers have employed steganography to remotely control infected systems. Lurk malware, for example, was previously modified to serve as a dropper and download image files with malware hidden inside (see: Russian Police Bust Alleged Bank Malware Gang).

Nor is this the first time that Twitter posts have been used to issue instructions to malware-infected PCs. In 2013, for example, Russian security firm Kaspersky Lab and Budapest-based CrySyS Lab warned that they'd discovered an online espionage campaign that utilized attack code called MiniDuke, which looked to specified Twitter accounts to retrieve C&C instructions.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
